Bulk Actions Authorizations
This functionality is available since version 4.8.
This page describes the authorizations required to run bulk actions.
Bulk actions in midPoint allow users to execute operations on many objects at once, making large-scale management tasks faster and more efficient. Because such operations can affect many objects simultaneously, midPoint requires both the standard object authorization and an additional bulk-action authorization.
To enable users to run bulk actions, you need to grant them:
- Authorization to run bulk actions - http://midpoint.evolveum.com/xml/ns/public/security/authorization-bulk-3. You can grant this bulk authorization either for:
  - Individual actions, such as assign, unassign, delete, resolve.
    For example, when you grant the http://midpoint.evolveum.com/xml/ns/public/security/authorization-bulk-3#assign authorization to users, they will be able to execute the assign action in bulk.
  - Or for all bulk actions using the following authorization - http://midpoint.evolveum.com/xml/ns/public/security/authorization-bulk-3#all. This allows users to execute all bulk actions, such as assign, unassign, delete, resolve, etc.
- Access to the actual objects on which bulk actions are executed.
The object authorizations do not always correspond directly to the bulk action authorizations. The minimum required object authorizations for each bulk action are listed in the table below.
For example, to be able to resolve objects in bulk, you need the http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#get authorization for those individual objects.
In some cases, it may be necessary to fetch an actual object beforehand, or specify additional parameters for an action. This may require additional authorizations. For example, if you need to resolve objects before modifying them, you will not only need privileges for the resolve and modify actions, but you will also need the object get and modify authorizations.
Bulk action Required object model authorization
Depends on the actual bulk action that is executed.
assign for the request phase, and modify for the execution phase.
Depends on the executed script.
Depends on the executed expression.
No authorization required.
modify
recompute
add
No authorization required.
delete
unassign for the request phase, and modify for the execution phase.
modify
modify
modify
resumeTask
modify
No authorization required.
get
No authorization required.
No authorization required.
No authorization required.
No authorization required.
read, or alternatively, search and get.
Note that primary names of actions are used, e.g., generate-value as opposed to generateValue.
For more information on actions, see Actions (midPoint scripting language).
For details regarding model authorizations, see IDM Model Authorizations and MidPoint Authorization Configuration.
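The resolve-then-modify case described above, written as a role definition. This is an added example, not taken from the midPoint documentation: the role name, the authorization names and the restriction to UserType objects are assumptions chosen for illustration.

```xml
<!-- Added example. Role name, authorization names and UserType scoping are assumptions. -->
<role xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3">
    <name>Bulk Resolve and Modify Users</name>

    <!-- Part 1: bulk-action authorizations.
         Only the two actions this role needs are listed, instead of
         authorization-bulk-3#all, so the holder cannot run delete,
         assign or any other bulk action. -->
    <authorization>
        <name>bulk-resolve-and-modify</name>
        <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-bulk-3#resolve</action>
        <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-bulk-3#modify</action>
    </authorization>

    <!-- Part 2: object (model) authorizations.
         resolve needs get and modify needs modify on the objects
         themselves. No phase is given, so the authorization applies
         to both the request and the execution phase. The object
         selector limits it to users (assumption for this example). -->
    <authorization>
        <name>users-get-and-modify</name>
        <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#get</action>
        <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#modify</action>
        <object>
            <type>UserType</type>
        </object>
    </authorization>
</role>
```

With only the first authorization, the bulk action is permitted but fails on every object; with only the second, the user can get and modify users one at a time but cannot do so in bulk.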
|
Before midPoint 4.8, the |